Office (OLE) / .DOC malware analysis — malicious · b1abeb50ad8d97b3

MALICIOUS

Office (OLE) / .DOC

63.2 KB Created: 2006-01-25 08:30:00 Authoring application: Microsoft Office Word

MD5: e7c74fea66d9b78a75428ec108a67a79 SHA-1: c3ffbcb56eb0dbcdd5ce8bd8673b629c4ff5b308 SHA-256: b1abeb50ad8d97b35ec417fc93fff109505cd97da9869955cbee95708982796a

80 Risk Score

Malware Insights

MITRE ATT&CK

T1059 Command and Scripting Interpreter

The OLE document exhibits a large slack anomaly, suggesting hidden or obfuscated content. A heuristic firing indicates the use of the CreateProcess API, which is commonly used to launch malicious payloads. While a URL was extracted, it was confirmed as benign, and no document body or script content was available for further analysis.

Heuristics 3

Reference to CreateProcess API high SC_STR_CREATEPROCESS

Reference to CreateProcess API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 64,672 bytes but its declared streams total only 21,151 bytes — 43,521 bytes (67%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.openxmlformats.org/drawingml/2006/main

Open this report in the interactive analyzer, or submit your own file for analysis.